Nymaim Starts Using PowerShell to Download Payload

A recently discovered variant of the Nymaim dropper brings several new features and capabilities, including new obfuscation and delivery methods, the use of PowerShell, and what researchers call an interesting anti-analysis and anti-detection mechanism.

Nymaim has been around since 2013 and has mainly been used as a dropper for other threats, including file-encrypting ransomware and banking Trojans. The malware attracted little attention after 2013 until this year, when ESET reported a 63 percent increase in infections compared to 2015. Nymaim’s authors also recompiled the malware with code taken from Gozi ISFB, creating a hybrid banking Trojan dubbed GozNym.

ESET reported in July that Nymaim had replaced drive-by downloads as its delivery mechanism with spear-phishing emails carrying Macro-enabled Word documents. Verint’s Cyber Research team noticed the same change, but the company says the new variant it has analyzed includes several other significant changes as well.

The attacks observed by Verint appeared to target high-level managers. In one of the emails seen by the company, the malicious email purported to come from a corporate financing manager and was sent to a VP of human resources. The message was well designed and it included both the recipient’s full name and office address.

When victims open the attached file, they are presented with a “protected” document and instructed to enable content; doing so runs the embedded Macro code. Experts said both the strings and the Macro methods were obfuscated to hinder analysis.

One new feature spotted in Nymaim involves the use of PowerShell to download a first-stage payload. However, before the payload is downloaded, the macro code queries MaxMind’s GeoIP services, which return information about the public IP address the request came from, including the ISP and organization behind it. The response is then searched for strings that would suggest the macro is running on security or analysis infrastructure rather than on a victim’s workstation.

McAfee recently published a blog post detailing how Macro malware has been abusing MaxMind to avoid detection by security products.

In the case of Nymaim, if the MaxMind query response includes a string of interest, such as “data center,” “cloud” or the names of security vendors, the first-stage payload is not downloaded. The logic is that a corporate or home victim will typically resolve to a telecom or business ISP, whereas a sandbox or a vendor’s analysis lab is more likely to egress from a hosting provider or from the vendor’s own address space, so the macro simply stays dormant in those environments.
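The following is an added example, not code from the Nymaim macro or from Verint’s analysis, that models the GeoIP-based check described in the two paragraphs above so a defender can see what it keys on. It takes a GeoIP lookup response as JSON, searches every string field for the indicators the article mentions, and returns the decision the macro would make. The JSON shape follows MaxMind’s GeoIP2 web-service response (`traits.isp`, `traits.organization`); the sample records are constructed, and because the article does not list the vendor names the malware looks for, the short vendor list below is an illustrative assumption, not the real list.

```python
"""Model of the MaxMind GeoIP anti-analysis check described in the article.

Added example, not the malware's or Verint's code. Sample responses are
constructed; the vendor list is an illustrative assumption.
"""
import json
from typing import Iterable, List, Sequence

# Indicators the article says the macro looks for in the GeoIP response.
HOSTING_INDICATORS: Sequence[str] = ("data center", "cloud")
# The article only says "the names of security vendors"; these stand-ins are
# an assumption for the example, not the malware's actual list.
VENDOR_INDICATORS: Sequence[str] = ("eset", "mcafee", "kaspersky", "symantec")
ALL_INDICATORS: Sequence[str] = tuple(HOSTING_INDICATORS) + tuple(VENDOR_INDICATORS)


def _string_values(node) -> Iterable[str]:
    """Yield every string value found anywhere in a nested JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from _string_values(value)


def matched_indicators(response_json: str,
                       indicators: Sequence[str] = ALL_INDICATORS) -> List[str]:
    """Return the indicators present (case-insensitive substring match) in the response.

    The match is deliberately crude, mirroring the kind of string search a
    macro would do: any field, any position, no word boundaries.
    """
    document = json.loads(response_json)
    haystack = " ".join(_string_values(document)).lower()
    return [indicator for indicator in indicators if indicator in haystack]


def should_download_payload(response_json: str) -> bool:
    """Mirror the macro's decision: fetch the first stage only if nothing matched."""
    return not matched_indicators(response_json)


# Constructed sample responses in the shape of MaxMind GeoIP2 web-service JSON.
VICTIM_WORKSTATION = json.dumps({
    "traits": {"ip_address": "203.0.113.7",
               "isp": "Example Telecom",
               "organization": "Example Telecom"},
    "country": {"iso_code": "US"},
})
CLOUD_SANDBOX = json.dumps({
    "traits": {"ip_address": "198.51.100.22",
               "isp": "Example Cloud Hosting",
               "organization": "Example Cloud Data Center",
               "user_type": "hosting"},
    "country": {"iso_code": "US"},
})
VENDOR_LAB = json.dumps({
    "traits": {"ip_address": "192.0.2.44",
               "isp": "ESET Research Lab",
               "organization": "ESET"},
})


if __name__ == "__main__":
    for label, record in (("victim workstation", VICTIM_WORKSTATION),
                          ("cloud sandbox", CLOUD_SANDBOX),
                          ("vendor lab", VENDOR_LAB)):
        print(f"{label:20s} matched={matched_indicators(record)!r:25s} "
              f"download={should_download_payload(record)}")
```

A sandbox operator can feed the GeoIP record for their own egress address into `matched_indicators` to see whether this class of check would cause a sample to stay dormant; the usual mitigation is to route detonation traffic through addresses whose ISP and organization fields look like an ordinary business or residential connection. The substring matching also shows why the check is cheap for the attacker and brittle for everyone: a vendor name embedded in an unrelated ISP string is enough to abort the download.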

“This is another perfect example of how even relatively widespread threats are employing significantly more advanced methods of attack, distribution and obfuscation that not that long ago, would have been found in only the most advanced and targeted threats,” Verint researchers said in a blog post. “This trend is just getting stronger and means that ‘advanced’ threats will continue to affect a wider range of victims than ever before.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.